In recent years, malicious programs or software, also referred to as malware, have taken on numerous new forms and advanced in capability at an increasing rate. Software tools exist to detect and eliminate these threats, as well as to mitigate or remediate any harm that they cause to an end-user's computing device. Some forms of malicious software can delete files from the computing device and/or render files inaccessible without the end-user's knowledge or consent.
Malware can be any program that performs harmful or potentially harmful activity on a computer, generally without the knowledge and/or consent of the user. Malware includes, but is not limited to, viruses, Trojan horses, backdoors, keyloggers, rootkits, ransomware, remote-access tools, worms, and exploits. Malware can perform various functions, such as the modification of a user's personal files or eavesdropping on a user's activity. Ransomware is an example form of malware in which a user's data is made inaccessible, either via deletion or modification (e.g., via encryption or corruption), and held for ransom (e.g., until a payment for the return of the data is made).
Asymmetric ransomware prototypes were designed to show how cryptography can be used to mount extortion-based attacks that cause a loss of access to information and information leakage. Public-key cryptography can thus be turned to computer attacks: because asymmetric cryptography uses a key pair, ransomware can encrypt items on a system with the public key while the private key is never exposed on that system and remains secret. For ransomware, encrypting with a public key while keeping the private key secret is essential for "mangling" data files without exposing information that someone could use to figure out how to undo the encryption.
The occurrence of ransomware has increased with the advent of Bitcoin. Bitcoin is a digital asset and payment system providing a decentralized digital currency and anonymity in commercial transactions. The decentralized, anonymous nature of Bitcoin makes it very attractive to ransomware developers as a payment method for their ransomware schemes. Ransomware developers have begun incorporating a Bitcoin transaction into their ransomware.
For example, there is no central bank or authority for Bitcoin currency, so Bitcoin value cannot be manipulated by any such authority. Additionally, people conducting a Bitcoin transaction have a significant amount of privacy. Bitcoin networks are pseudonymous, and there is no easy way to link Bitcoin account addresses to real-world identities. Bitcoin currency can be sent across borders, and transactions are not location-specific. Further, basic Bitcoin transactions are irreversible. Once a transfer is made, there is no way for a third party to force a chargeback (as with a credit card). The number of new, unique ransomware binaries has recently spiked, driven by the ease of participating in the ransomware process through Bitcoin payments and by the increasing difficulty of detecting ransomware binaries. With ransomware-as-a-service, for example, an affiliate need not possess any particular programming or other technical skill but only a willingness to spread the ransomware (e.g., through email botnets that are easy for a non-programmer to set up).
Encouraged by the lucrative business model and the possibility of revenue sharing, ransomware authors have made ransomware binaries difficult to detect with traditional antivirus software. Highly polymorphic code and code obfuscation/encryption techniques render ransomware difficult for a signature-based scanner to detect. Additionally, because the encryption work can be highly parallelized, a ransomware process takes little time to infect a target system, leaving a behavioral (e.g., machine-learning-based) antivirus scanner a very short window in which to detect it.
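The behavioral detection problem described above can be illustrated with the kind of heuristic such a scanner applies: the "mangling" of files leaves near-random (high-entropy) data where structured content used to be, and a process that rewrites many files of different types with such data within a short interval is the pattern to flag. The following is an added example, not code from the application or from any product it describes; the write-event tuple format, the process identifiers, file paths and sample buffers are all constructed for the demonstration, and the entropy threshold and file-count parameters are assumptions a real scanner would tune.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample data (not from the page). HIGH_ENTROPY_SAMPLE stands in for a
# file body that has just been encrypted: 4096 bytes built from SHA-256 digests so
# the demo is deterministic. LOW_ENTROPY_SAMPLE stands in for an ordinary document.
HIGH_ENTROPY_SAMPLE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)
LOW_ENTROPY_SAMPLE = b"Quarterly report: revenue up 3 percent this period. " * 80

# Hypothetical write-event stream a behavioral monitor might collect from a
# file-system filter: (pid, path, bytes_written). Pids and paths are made up.
SAMPLE_EVENTS = [
    (4242, "/home/alice/docs/budget.xlsx", HIGH_ENTROPY_SAMPLE),
    (4242, "/home/alice/docs/thesis.docx", HIGH_ENTROPY_SAMPLE),
    (4242, "/home/alice/photos/trip.jpg", HIGH_ENTROPY_SAMPLE),
    (4242, "/home/alice/docs/notes.txt", HIGH_ENTROPY_SAMPLE),
    (100, "/home/alice/docs/draft.txt", LOW_ENTROPY_SAMPLE),
    (100, "/home/alice/docs/todo.txt", LOW_ENTROPY_SAMPLE),
    # A legitimate compressed archive looks just as random as ciphertext; one such
    # write on its own must not trip the detector (the classic false positive).
    (100, "/home/alice/backup/archive.zip", HIGH_ENTROPY_SAMPLE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5, min_len: int = 256) -> bool:
    """Heuristic: a buffer long enough to estimate entropy reliably, with
    near-maximal entropy. Short buffers are skipped to avoid noisy estimates."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def flag_processes(events, min_distinct_files: int = 3, min_extensions: int = 2) -> set:
    """Return pids that wrote near-random data to several distinct files of
    differing types: the bulk-rewrite pattern a behavioral scanner looks for."""
    paths_by_pid = defaultdict(set)
    for pid, path, data in events:
        if looks_encrypted(data):
            paths_by_pid[pid].add(path)
    flagged = set()
    for pid, paths in paths_by_pid.items():
        extensions = {p.rsplit(".", 1)[-1].lower() for p in paths if "." in p}
        if len(paths) >= min_distinct_files and len(extensions) >= min_extensions:
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    for pid in sorted(flag_processes(SAMPLE_EVENTS)):
        print(f"pid {pid}: high-entropy rewrites across multiple file types")
```

Requiring several distinct files and more than one file type is what separates the encryption pattern from a single archive or media write, but it also shows the timing problem the text raises: the verdict is only available after a few files have already been rewritten, so a fast, parallel encryptor reduces the scanner's window to the first handful of writes.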
The figures are not to scale. Wherever possible, the same reference numbers will be used throughout the drawing(s) and accompanying written description to refer to the same or like parts.